Changed several functions to filters, where appropriate.
Get-NetShare, Get-NetSession, Get-NetLoggedOn, Get-NetRDPSession, Invoke-CheckLocalAdminAccess, Get-LastLoggedOn, Get-CachedRDPConnection, Get-NetProcess are now filters, better handle pipeline input, and now return an augmented result object with the queried ComputerName as a field
Replaced RemoteUserName/RemotePassword with -Credential parameter in Get-CachedRDPConnection and Get-NetProcess
modified output object for Get-NetShare to be a proper object
Various bug fixes and better parameter validation
The 'Install-ServiceBinary' function fails on an edge case where the
service's file permission does not include the 'Modify' permission but
does include the 'Write' permission
(https://technet.microsoft.com/en-au/library/dd349321(v=ws.10).aspx). In
this scenario, renaming the original service file for backup purposes
will result in 'Access Denied' message. Fixing this requires that the
file be copied to service.exe.bak instead of renamed to service.exe.bak.
Pester tests to the function 'Test-ServiceDaclPermission' were added in
order to increase confidence in its reliability. In general, my
intention was to replace the current functionality of the service
management functions such as Invoke-ServiceStart, to not use blindly
'sc.exe start' but rather consult with the DACL permissions and base the
decision on that. Unforunately, further investigation lead me to the
conclusion that retrieval of the service's DACL permissions requires
that an additional DACL permission (RC) be set. This may lead to an edge
case that could miss a potential privilege escalation condition and
thereby the original idea was discarded. Nonetheless,
'Test-ServiceDaclPermission' can be used for less critical tasks.
Therefore, a 'CanRestart' property was added to the output of the
service enumeration functions such as 'Get-ServiceUnquoted' as I think
that it will add value to redteamers/pentesters by helping them
prioritise which service should be abused for escalation of privileges.
Services that can be restarted by a low privileged user will probably be
prioritised first. Additionally, manual checking whether the vulnerable
service can be restarted would not be required in most cases.
This fix addresses issue #99. While I'm not the biggest fan of
performing tests based on environment variables, I felt that making
additional Win32 API calls would have been overkill.
Addresses issue #80. This was a tricky fix because the script should
ideally handle Unicode and Ascii encoded scripts. I haven't tested
scripts with international characters but I would imagine those script
would get mangled since the decrypted output is ultimately normalized to
ascii.
This bug fix addresses issue #96. As much as a hate dropping files to
disk, this was the easiest way to preserve objects in PSv2+. If someone
want to implement the [de]serialization themselves and keep everything
in memory, please submit a PR.
Harmj0y
sagishahar
Matt Graeber
Jesse Davis
mmashwani
Jesse Davis
Stuart Morgan
PowerShellMafia
Matt Graeber